Though Apple retired iTunes for Mac in 2019 with the release of macOS Catalina, its legacy lives on for Windows users. Sadly, that legacy also includes many of the security problems that Windows apps can fall victim to.
Earlier this week, researchers discovered a perfect storm of vulnerabilities that could turn iTunes for Windows into a serious security risk. While the process for exploiting this was a bit convoluted, it was still an open door that potential malware could take advantage of.
The flaw was uncovered by Zeeshan Shaikh of the Synopsys Cybersecurity Research Center (CyRC), which published some details on the problem after Apple released iTunes 12.12.9 to patch the issue.
“The iTunes application creates a folder, SC Data, in the C:\ProgramData\Apple Computer\iTunes directory as a system user and gives full control over this directory to all users. After the installation, the first user to run the iTunes application can delete the SC Data folder, create a link to the Windows system folder, and re-create the folder by forcing an MSI repair, which can be later used to gain Windows SYSTEM level access.”
The iTunes 12.12.9 update was quietly pushed out by Apple around May 23, with patches for two security problems that could allow apps to elevate privileges, addressing the “logic issue with improved checks.” The discovery of one of the two flaws was credited to Synopsys’ Shaikh, while the second was discovered by “ycdxsb” of VARAS@IIE.
It’s unclear how far back this vulnerability goes, but it’s safe to say it likely encompasses all versions of iTunes 12 before the 12.12.9 fix. Hence, if you haven’t updated iTunes for Windows yet, you should do so immediately.
You’ll need to download the latest version through the Microsoft Store, as the most recent version Apple offers for direct download from its website is iTunes 12.10.11, which very likely still includes the vulnerability in question.
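For administrators who want to verify machines rather than assume the update landed, the following read-only PowerShell audit is an added example, not code from Apple, Synopsys or this article's author. It goes slightly beyond the single folder named in the advisory by checking the iTunes data directory and each of its immediate subfolders for links and for write access granted to broad groups. It assumes the desktop installer registers itself under the standard Uninstall registry keys with the display name `iTunes`; Microsoft Store installs are not covered by the version check.

```powershell
# Added example (constructed for this article, not Apple's or Synopsys' code).
# Read-only audit: it makes no changes to the system.
param(
    [string]  $ITunesData   = 'C:\ProgramData\Apple Computer\iTunes',  # directory quoted in the advisory
    [version] $FixedVersion = '12.12.9'                                # fixed release named in the article
)

# 1. Installed version, read from the standard Uninstall registry keys.
#    Assumption: the desktop installer registers DisplayName 'iTunes'.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq 'iTunes' -and $_.DisplayVersion } |
    ForEach-Object {
        $installed = [version]$_.DisplayVersion
        $state = if ($installed -lt $FixedVersion) { 'NEEDS UPDATE' } else { 'ok' }
        '{0,-13} iTunes {1}' -f $state, $installed
    }

# 2. The data directory and its immediate subfolders: flag links and broad write access.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, BUILTIN\Users
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL and GENERIC_WRITE bits

if (Test-Path -LiteralPath $ITunesData) {
    # No -Recurse: a planted link must be reported, not followed.
    $dirs = @(Get-Item -LiteralPath $ITunesData -Force) +
            @(Get-ChildItem -LiteralPath $ITunesData -Directory -Force -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        if ($d.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            "LINK          $($d.FullName) is a junction or symbolic link"
            continue
        }
        # Resolve ACL entries to SIDs so the check does not depend on localized group names.
        $rules = (Get-Acl -LiteralPath $d.FullName).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($r in $rules) {
            $broad = $broadSids -contains $r.IdentityReference.Value
            if ($r.AccessControlType -eq 'Allow' -and $broad -and ([int]$r.FileSystemRights -band $writeMask)) {
                "BROAD WRITE   $($d.FullName) [$($r.IdentityReference.Value): $($r.FileSystemRights)]"
            }
        }
    }
} else {
    "No iTunes data directory at $ITunesData"
}
```

A `LINK` line deserves immediate investigation, since the advisory describes replacing a subfolder with a link to the Windows system folder; a `BROAD WRITE` line marks the precondition the advisory describes and is a prompt to confirm the machine is on the fixed version.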
According to Synopsys’ timeline, it first discovered the vulnerability in September 2022 and reported it to Apple, which confirmed its existence in November and released a patch in May. It’s unclear what took it so long to respond, but since there’s no evidence this issue was ever exploited, it was likely a lower priority for Apple. Then again, that can be said for iTunes for Windows as a whole.
There have been persistent rumors over the past few years that Apple would finally split up iTunes on Windows, killing its bloated and monolithic app in favor of separate Music, TV, Podcast, and Books apps, much like it’s done on the Mac.
Sadly, none of those have ever come to fruition, and the Windows platform lags even further behind the Mac when it comes to Apple’s first-party apps, having never even gained the standalone Apple Books app that came to the Mac as iBooks in 2013. Last fall, Apple released a “preview” version of its TV app on the Microsoft Store; however, that’s likely only because it was easier to create a new standalone app than update iTunes to add support for streaming Apple TV+ content on Windows.
Now that this vulnerability has been published, Windows users running iTunes are no longer protected by “security through obscurity.” Bad actors will undoubtedly begin using this new information to craft malware that could target older versions of iTunes, making it much more important to ensure you’re running the latest version of iTunes.